index=_internal sourcetype=splunkd OR sourcetype=splunkd_access | stats latest(sourcetype) as sourcetype | eval sourcetypeidx=case(sourcetype="splunkd",2,sourcetype="splunkd_access",1) | rangemap field=sourcetypeidx severe=0-1 low=2-4 default=low
How to Check When Splunk is finished Indexing a log file
How can I tell when Splunk is finished indexing a log file? (Credit for this one goes to the learnsplunk.com author, who originally posted it on his website.) By watching data from Splunk's metrics log in real time.
************************************************************
index="_internal" source="*metrics.log" group="per_sourcetype_thruput" series="your_sourcetype_here" | eval MB=kb/1024 | chart sum(MB)
************************************************************
or to watch everything happening split by […]
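The same logic as the metrics.log search above, written in Python so it can be run offline: this is an added example, not code from this page or from learnsplunk.com. The metrics lines below are constructed (the field names group=, series=, kb= and ev= are the ones the search relies on), and the "finished" rule, a run of consecutive zero-throughput intervals for the sourcetype, is my assumption about what "finished" should mean, since a single empty 30-second interval can just be a forwarder pausing mid-file.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of metrics.log lines (not real Splunk output). The
# timestamp layout and the group=/series=/kb=/ev= key-value pairs follow the
# per_sourcetype_thruput lines that the query on this page searches for;
# kb is the volume indexed for that sourcetype during the ~30 s interval.
SAMPLE_METRICS = """\
08-01-2024 10:00:00.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="access_combined", kbps=12.5, eps=40.1, kb=387.2, ev=1240, avg_age=0, max_age=1
08-01-2024 10:00:00.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="splunkd", kbps=0.3, eps=1.2, kb=9.9, ev=37, avg_age=0, max_age=0
08-01-2024 10:00:31.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="access_combined", kbps=6.0, eps=19.8, kb=186.0, ev=614, avg_age=0, max_age=1
08-01-2024 10:00:31.000 +0000 INFO  Metrics - group=per_host_thruput, series="web01", kbps=6.0, eps=19.8, kb=186.0, ev=614, avg_age=0, max_age=1
08-01-2024 10:01:02.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="access_combined", kbps=0.0, eps=0.0, kb=0.0, ev=0, avg_age=0, max_age=0
08-01-2024 10:01:33.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="access_combined", kbps=0.0, eps=0.0, kb=0.0, ev=0, avg_age=0, max_age=0
08-01-2024 10:02:04.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="access_combined", kbps=0.0, eps=0.0, kb=0.0, ev=0, avg_age=0, max_age=0
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) \S+\s+Metrics - '
    r'group=(?P<group>[^,]+), series="(?P<series>[^"]*)".*?\bkb=(?P<kb>[\d.]+), ev=(?P<ev>\d+)'
)


def parse_metrics(text, group="per_sourcetype_thruput"):
    """Return the interval records for one metrics group, oldest first.
    Lines from other groups (per_host_thruput, ...) are skipped, just as the
    group="per_sourcetype_thruput" filter does in the SPL."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("group") != group:
            continue
        records.append({
            "ts": datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S.%f %z"),
            "series": m.group("series"),
            "kb": float(m.group("kb")),
            "ev": int(m.group("ev")),
        })
    records.sort(key=lambda r: r["ts"])
    return records


def mb_by_series(records):
    """Equivalent of `eval MB=kb/1024 | chart sum(MB) by series`."""
    totals = defaultdict(float)
    for r in records:
        totals[r["series"]] += r["kb"] / 1024
    return dict(totals)


def indexing_finished(records, series, quiet_intervals=3):
    """True once the series has reported zero kb and zero events for the last
    `quiet_intervals` consecutive metrics intervals (assumed rule: one empty
    interval is not enough, a forwarder can pause mid-file)."""
    points = [r for r in records if r["series"] == series]
    if len(points) < quiet_intervals:
        return False
    tail = points[-quiet_intervals:]
    return all(r["kb"] == 0.0 and r["ev"] == 0 for r in tail)


if __name__ == "__main__":
    recs = parse_metrics(SAMPLE_METRICS)
    for series, mb in sorted(mb_by_series(recs).items()):
        print(f"{series:20s} {mb:8.4f} MB  finished={indexing_finished(recs, series)}")
```

Pick `quiet_intervals` to match how bursty the source is; for a file that is written continuously the throughput never settles to zero, and this check (like the search it mirrors) only tells you the indexer has stopped receiving, not that every event of the file has been committed.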
Apache access_logs status code reporting
index=apache sourcetype=access_combined | chart count(eval(like(status,"2%"))) AS Success, count(eval(like(status,"4%") OR like(status,"5%"))) AS Error by status
### This query is to report on status code description ###
index=apache source="/var/log/httpd/access_log" | timechart count by status_description useother=f
# Find website status over time
index=apache sourcetype=access_combined | timechart count by status_type limit=10 usenull=f
# Reports on webserver error 500.
index=apache sourcetype=access_combined status_type="Server Error" […]
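The bucketing these searches do, run in Python over a few constructed access_combined lines so the behaviour can be checked without a Splunk instance. This is an added example, not code from the page. Two assumptions are built in: `status_type` and `status_description` are not raw log fields but lookup fields (the Apache apps for Splunk supply them from an HTTP status lookup), so a small first-digit table stands in for that lookup here; and the sample events are invented.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access_combined events (not real traffic). The field
# layout is Apache's "combined" LogFormat, which is what Splunk's
# access_combined sourcetype extracts.
SAMPLE_ACCESS = """\
10.0.0.5 - - [01/Aug/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Aug/2024:10:00:02 +0000] "GET /old HTTP/1.1" 301 0 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Aug/2024:10:00:03 +0000] "GET /admin HTTP/1.1" 403 221 "-" "curl/8.0"
10.0.0.9 - - [01/Aug/2024:10:00:04 +0000] "GET /missing HTTP/1.1" 404 196 "-" "curl/8.0"
10.0.0.7 - - [01/Aug/2024:10:00:05 +0000] "POST /api/orders HTTP/1.1" 500 48 "-" "python-requests/2.31"
10.0.0.7 - - [01/Aug/2024:10:00:06 +0000] "POST /api/orders HTTP/1.1" 200 310 "-" "python-requests/2.31"
"""

ACCESS_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<useragent>[^"]*)")?$'
)

# Assumption: status_type is not a raw log field; in Splunk it comes from a
# lookup keyed on the status code. This table stands in for that lookup.
STATUS_TYPE = {"1": "Informational", "2": "Success", "3": "Redirect",
               "4": "Client Error", "5": "Server Error"}


def parse_access(text):
    """Extract the combined-format fields; lines that do not match are dropped."""
    records = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def status_type(status):
    return STATUS_TYPE.get(str(status)[:1], "Unknown")


def chart_success_error_by_status(records):
    """Mirror of
      chart count(eval(like(status,"2%"))) AS Success,
            count(eval(like(status,"4%") OR like(status,"5%"))) AS Error by status
    `like` is a string-prefix match on status, so 1xx/3xx rows still appear,
    with 0 in both columns, rather than being dropped."""
    chart = defaultdict(lambda: {"Success": 0, "Error": 0})
    for r in records:
        s = r["status"]
        row = chart[s]
        if s.startswith("2"):
            row["Success"] += 1
        if s.startswith("4") or s.startswith("5"):
            row["Error"] += 1
    return dict(sorted(chart.items()))


def count_by_status_type(records):
    """Mirror of `count by status_type` (without the timechart bucketing)."""
    return Counter(status_type(r["status"]) for r in records)


def server_errors(records):
    """Mirror of the `status_type="Server Error"` filter: the 5xx events."""
    return [r for r in records if status_type(r["status"]) == "Server Error"]


if __name__ == "__main__":
    recs = parse_access(SAMPLE_ACCESS)
    for status, row in chart_success_error_by_status(recs).items():
        print(status, row)
    print(dict(count_by_status_type(recs)))
    for r in server_errors(recs):
        print("5xx:", r["clientip"], r["request"], r["status"])
```

If you want redirects counted rather than shown as 0/0, add a third column with `like(status,"3%")`; and because `status` is extracted as a string, a numeric range such as `status>=400 AND status<600` is the safer form if the field is ever reused on a sourcetype where it is not exactly three digits.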
Splunk Query to report on users logging on to the Splunk Web Console
index=_audit tag=authentication info=succeeded | dedup user | table user timestamp
Low Disk Space Alert for Windows Servers
eventtype=hostmon_windows Type=Disk host="*" FileSystem="*" DriveType="*" | dedup host, Name | eval FreeSpacePct=round(FreeSpaceKB/TotalSpaceKB*100) | eval TotalSpaceGB=round(TotalSpaceKB/1024/1024) | eval FreeSpaceGB=round(FreeSpaceKB/1024/1024) | search FreeSpacePct<10 TotalSpaceGB="*" | dedup host, Name, DriveType, TotalSpaceGB, FreeSpaceGB, FreeSpacePct | table host, Name, DriveType, TotalSpaceGB, FreeSpaceGB, FreeSpacePct | sort FreeSpacePct